question

0 Votes
JonRippon-3509 asked JonathanRippon-6000 commented

Target Conditional Access Policy to AVD Host Pools

We plan to run multiple instances (different subscriptions) of Azure Virtual Desktop all using the same Azure AD.

Is it possible to target a Conditional Access policy to an AVD host pool, or to set up something using the CA Authentication Context to achieve this?

Many Thanks

Tags: azure-virtual-desktop, azure-ad-authentication, azure-ad-conditional-access

@JonRippon-3509 Thank you for your query!!!

For sure, Conditional Access policies can be applied to AVD, but can you help me understand the end goal, like what you are trying to achieve, so I can help you out better?

Thanks

0 Votes

@prmanhas-MSFT

We have a customer who is using AVD to publish a simple desktop (no apps or tools) for users to connect to.

We require our own instance of AVD to have session hosts with the required tools to manage the environment. We would like to secure our AVD instance so that it is only accessible from internal / the first AVD instance, but both instances use the same Azure AD in different subscriptions.

Worth noting it's the same user AD account for both instances.

Thanks

0 Votes

1 Answer

1 Vote
prmanhas-MSFT answered JonathanRippon-6000 commented

@JonathanRippon-6000 I had a discussion with our internal team on this, and below is the response I got from them:

The CA policies are checked at user authentication, not when they connect to a host pool; hence, we are afraid the mentioned is not possible. We could raise it through the technical feedback process; since it is already posted on Q&A, it can be considered a feedback post. One more thing: if it is more around location-based Conditional Access rather than users, the feedback has been shared internally already and it might be working by next semester.

Alternatively, as you might already know, we can create an AD Security Group containing only those users who need access to "AVD Host Pool 01" and set CA for that group. Will this help in your use case?
In our CA condition we have 2 filters: User Group & Application ID as AVD:

[screenshot: image.png, CA policy conditions showing the user group and the AVD application filter]

Hope it helps!!!

Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.


@prmanhas-MSFT

Thanks for the info. How would this work if users were in both AD groups but with different CA policies applied, primarily the one for AVD instance 2 with a location restriction?

Thanks

0 Votes

@JonathanRippon-6000 CA policies aren't applied in any particular order. All matching policies apply, and the resulting access controls required by the policies will be merged. So even though a user is in both AD groups with different conditional access applied, both of them will be applied to that user as the resultant. If both grant and block policies match, block will always win. We use the Conditional Access What If tool in the following examples to demonstrate what happens.

You can use this tool to get a better idea of how the policy will ultimately be applied.

Hope it helps!!!

Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.




0 Votes
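The merge rule described in the comment above (every matching policy applies, block beats grant, grant controls are unioned), as an added Python "what-if" model that is not part of the original thread or of any Microsoft tooling; the group names, location names and the two sample policies are constructed, and the policy conditions are simplified to group membership, application and named location:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SignIn:
    """A sign-in as Conditional Access sees it: group memberships, the app
    being authenticated to and the network location (constructed values)."""
    groups: frozenset
    app: str
    location: str

@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset                              # included user groups
    apps: frozenset                                # included cloud apps
    locations: frozenset = frozenset({"Any"})      # "Any" or named locations
    excluded_locations: frozenset = frozenset()    # e.g. trusted locations
    block: bool = False                            # True = block, False = grant
    grant_controls: frozenset = frozenset()        # e.g. {"mfa"} when granting

    def matches(self, s: SignIn) -> bool:
        in_scope = bool(self.groups & s.groups) and s.app in self.apps
        loc_ok = ("Any" in self.locations or s.location in self.locations) \
            and s.location not in self.excluded_locations
        return in_scope and loc_ok

def evaluate(policies, s):
    """All matching policies apply; any block wins; otherwise the required
    grant controls are the union over every matching grant policy."""
    matched = [p for p in policies if p.matches(s)]
    names = [p.name for p in matched]
    if any(p.block for p in matched):
        return "block", frozenset(), names
    return "grant", frozenset().union(*(p.grant_controls for p in matched)), names

AVD_APP = "Azure Virtual Desktop"   # both host pools authenticate to the same app
POLICIES = [                        # hypothetical policies for the two instances
    Policy("CA-AVD-Pool01", frozenset({"AVD-HostPool-01-Users"}),
           frozenset({AVD_APP}), grant_controls=frozenset({"mfa"})),
    Policy("CA-AVD-Pool02-Internal-Only", frozenset({"AVD-HostPool-02-Users"}),
           frozenset({AVD_APP}), excluded_locations=frozenset({"Corp-HQ"}), block=True),
]

def resolve(location):
    # The same account sits in both groups, as in the thread.
    user = SignIn(frozenset({"AVD-HostPool-01-Users", "AVD-HostPool-02-Users"}), AVD_APP, location)
    return evaluate(POLICIES, user)

if __name__ == "__main__":
    for loc in ("Corp-HQ", "Home"):
        print(loc, resolve(loc))
```

Because the policy keys on user and application rather than host pool, a user in both groups signing in from outside the trusted location is blocked for instance 1 as well, which is the side effect to check for before combining the group-based policies.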

@JonathanRippon-6000 Any update on the issue?

Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.

0 Votes

Thanks for your help. Have converted to answer.

0 Votes